Degradation of security measures

Following the publication of a recent article about Public Wi-Fi and the use of Virtual Private Networks (VPNs), I have received questions about what is reasonable when websites attempt to block the use of VPNs. A recurring concern was specifically the blocking of VPN access through an unencrypted public Wi-Fi network.

VPNs are an excellent security measure, but because of how VPNs can circumvent geographic restrictions on content, many organisations have contractual requirements to take extra steps to restrict access. The problem is that because key entertainment sites such as the BBC, Netflix and Amazon Prime use VPN blocking, many VPN users who stream movies and television programs need to deactivate their VPN at some point.

Blocking access through a VPN is relatively easy: the services require IP addresses to function, and websites can be configured to block traffic from these IP addresses or redirect it to a page asking for the VPN to be disabled. There are also other means, such as blocking specific network ports. What makes it difficult is that VPN providers keep adding new servers with different IP addresses, which then have to be identified and blocked in turn.

The use of a VPN also prevents content filtering because network traffic is encrypted. In the case of a public Wi-Fi, the service provider would struggle to stop, for example, the use of peer-to-peer file sharing to download illegal content, access to pornography in public, or access to extremist materials online. The reality is that because some people use VPNs to perform unlawful activities, website owners are continuously introducing countermeasures, and some countries have either banned the use of VPNs or are currently attempting to do so.

Consider how people become conditioned to do things in a certain way and that potentially harmful activity becomes normal, with consequences that are never fully appreciated. As more websites and services ask for VPNs to be disabled to access the content, the more people will get used to the idea that disabling a VPN is the normal thing to do. Consequently, it becomes less effective as a security measure. This behavioural change has already taken place in other areas:

  • Browsers, for example, have the option to disable cookies, but many websites will not function if cookies are disabled. Websites consequently ask for cookies to be enabled, and the measures that are there to add extra privacy are no longer sufficient. Although you can manage cookies within browser settings, for many people, this can be painful, and the path of least resistance is to have cookies enabled and ignore the settings. In short, the way websites use cookies often undermines the browser security measures.
  • Advert blocking components in browsers are another example, and many websites check whether one is installed. If it is, visitors are redirected to a page instructing them to deactivate the advert blocker to view the content. Again, the more this happens, and the more frequently these instructions are followed, the less effective advert blocking becomes, and with many adverts containing malware, the risks of exposure increase.
  • Terms and conditions – most of the time, terms and conditions are so complicated and long-winded that nobody has the time to read them or even care what they include. People have got used to the idea that terms and conditions are accepted by just ticking a box to say they have read them and agree to the terms.
  • Cookie notifications – how websites have implemented cookie notifications is annoying and interrupts the users’ experience of websites. The inevitable outcome is that people will click OK to accept cookies to get rid of the banner or pop-up that is preventing them from reading the content without any consideration or care about cookies.

What would you think if you visited a website and it redirected you to a page that told you that the site has detected that you have ‘ABC XYZ Antivirus’ installed and the site requires you to disable it before displaying content? I would expect people would be sensible enough to leave the site and not follow the instructions.

Reporting Copycat Websites

The subject of copycat websites and services came up again this week when I received a call from a friend who explained that his wife had applied to update her driving licence details online, a service that is usually free of charge. The site asked her to pay a fee after she had entered all her personal information into the website. In this case, she realised something was wrong because she knew it was usually a free service and stopped before providing credit card details. No money changed hands, but this doesn’t change the quantity of personal information held by the website.

This call reminded me of an article (Copycat Services) I wrote last year about how fraudsters are still setting up websites which offer, at potentially extortionate prices, official services that are usually cheap or completely free of charge. This article is a follow-up that focuses on what actions to take if you discover a copycat website at any stage, from finding the site through to realising after the fact that you have paid for services using a fake website.

Copycat services are not necessarily illegal; this depends on the circumstances. For example, accountants often process self-assessment tax returns on behalf of their customers. The problem, and the reason this is so much of an issue, is that in most cases these websites manipulate people into believing they are using a genuine service, when in reality they are using a third party to act on their behalf.

Communicating directly with the copycat service provider to resolve issues may seem like a good idea, such as to process a refund or ask for personal data to be removed. However, depending on the level of fraud involved, this could be akin to asking a mugger to give you back your wallet. If a company is going to operate in this way to deceive you into parting with your money, it is reasonable to assume that they don’t care about your personal information or any other safeguards in connection with financial transactions.

  • Action Fraud – https://www.actionfraud.police.uk – the UK’s national reporting centre for fraud and cybercrime. Contact Action Fraud on 0300 123 2040. Where appropriate, Action Fraud will pass along information to the National Fraud Intelligence Bureau.
  • Google – If you found the website using Google, visit https://safebrowsing.google.com/safebrowsing/report_phish/ to report the website and have it removed from search results. Google announced several years ago that it would remove copycat websites from search results, so it is reasonable to expect that they will take action.
  • Your Bank – Inform your bank about the transaction, report it as fraud and ask them to process a chargeback. Depending on the circumstances and the website used, the bank may cancel the financial transaction, but could equally reject the request on the basis that you were complicit. Challenge any instruction to communicate with the potentially fraudulent service provider directly in the interest of personal safety and to prevent further exposure to fraud.
  • CIFAS (Credit Industry Fraud Avoidance System) – Protective registration is available, which logs information about you in the National Fraud Database used by financial services institutions to prevent fraud. Consequently, financial institutions take more comprehensive measures to verify your identity.
  • Credit File – request a copy of your credit file from credit reference agencies such as Experian and Equifax. One-off credit reports are available for free, and additional services are available to actively monitor changes on an ongoing basis.